This is just a suggestion, but I would highly recommend that, if possible, you incorporate this idea into your plugin.

By default this plugin creates a directory ‘wpcf7_captcha’ in your ‘uploads’ directory. There it creates a .php and a .png file when needed.

Well, users by default have the ability to upload files. If they knew that you were using this plugin and could verify that the directory was there, it’s possible that they could upload a shell script there.

My suggestion would be to incorporate the creation of an .htaccess file there with the following contents:

Order Allow,Deny
<FilesMatch "^[0-9]+\.png$">
Allow from all
</FilesMatch>

That way, only the .png files that are created can be accessed via HTTP. Nothing else, not even a double extension. Ideally it would be better to replace the ‘+’ with the character limit the plugin sets when creating the files, if any. But I couldn’t confirm the limit. Maybe something like {1,15}.
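As an added example (not code from the original post or from the plugin), the following renders the suggested .htaccess, with the optional {1,N} quantifier and the Apache 2.4 `Require` equivalent, and emulates which basenames Apache would serve under it so the rule can be sanity-checked before deploying it. The sample filenames are constructed.

```python
import re

def render_htaccess(max_digits=None, apache24=False):
    """Build the .htaccess body the post suggests.

    max_digits=None keeps the post's '+' quantifier; an int gives the
    '{1,N}' variant the post mentions.  apache24=True emits mod_authz_core
    syntax, since Apache 2.4 only honours Order/Allow via mod_access_compat.
    """
    quant = "+" if max_digits is None else "{1,%d}" % max_digits
    if apache24:
        deny, allow = "Require all denied", "Require all granted"
    else:
        deny, allow = "Order Allow,Deny", "Allow from all"
    lines = [
        deny,                                           # default: nothing is served
        '<FilesMatch "^[0-9]' + quant + '\\.png$">',    # digits-only .png basenames
        allow,                                          # ...are the sole exception
        "</FilesMatch>",
    ]
    return "\n".join(lines) + "\n"

def is_served(basename, htaccess):
    """Emulate the access decision for one request basename.

    Both variants deny everything by default; only a basename matching the
    FilesMatch expression picks up the allow.  Apache applies FilesMatch to
    the basename only and case-sensitively, which re.search mirrors here.
    """
    m = re.search(r'<FilesMatch "([^"]+)">', htaccess)
    return re.search(m.group(1), basename) is not None

# Constructed request names: what the plugin writes, plus the kind of
# double-extension and script names the post warns about.
SAMPLE_NAMES = ["1713.png", "shell.php", "1713.png.php", "1713.php", "1713.PNG"]

def evaluate(max_digits=None):
    """Map each sample basename to True (served) or False (403)."""
    rules = render_htaccess(max_digits)
    return {name: is_served(name, rules) for name in SAMPLE_NAMES}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:15} {'served' if ok else 'denied'}")
```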